IIS6 ASP and com socket security(?) problem


IIS6 ASP and com socket security(?) problem ofer NO[at]SPAM intelligate.com
2/29/2004 1:13:13 AM
iis security:
I am having a problem migrating an ASP application from IIS5 to IIS6.

The application runs an activeX on the server side, which connects to
another machine using TCP/IP sockets. It works on the IIS5 but not on
the IIS6.

I create the object with no problems, but calling the method that
opens the socket fails, and I get a message regarding error 80010105.

I believe it is a security problem and would like to know what are the
steps required for successfully opening a socket using an activeX
called from an ASP page.

The os is server 2003, and the activeX dll is written in vc++.

Thanks,

RE: IIS6 ASP and com socket security(?) problem v-wzhang NO[at]SPAM online.microsoft.com
3/1/2004 7:18:11 AM
Hi Ofer,

I wonder, if you run the same code in a .vbs file with cscript, will it
work? To confirm the issue is just related to IIS security setting,
you can maximize the ASP running permission.

1) Right-click the site's Application pool in IIS mmc and open its
Properties->Identity tab. Change the running account from Network
service(default) to Local System.

2) In the ASP page's virtual directory->Directory Security
tab->Authentication and access control, disable anonymous access and
select Integrated Windows authentication.

3) Use iisreset in a command line to restart IIS.

After that, logon as administrator to browse this page. Then the
site's process identifier is Local System and the asp thread's
identifier is administrator. See if the error will no longer occur.
If it persists, probably the code isn't compatible to run in IIS6
wpm (worker process mode).

In IIS6 mmc, right-click the 'Web Sites' folder and open properties.
In Service tab, switch IIS6 to run in IIS5 isolation mode to have a
test.

Please update here on any results or you need further assistance.
Have a nice day,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
Re: IIS6 ASP and com socket security(?) problem ofer NO[at]SPAM intelligate.com
3/2/2004 4:41:50 AM
Thank you for the prompt response.

I ran some tests, as you described and found out the following:

1. A vb application running under local administrator succeeds in the
object creation, and in calling the function that creates the socket,
and communication works fine.

2. The asp page using the "network service" and local IUSR succeeds in
object creation, but fails in the function call that creates the socket.

3. Denying the local IUSR from accessing the dll that runs the com
object results in a failure in the asp page creating the object.

4. Explicitly allowing the IUSR access to the dll (no matter what
application pool account) - fails again as in test #2.

What next?

Thanks,

Ofer.

Re: IIS6 ASP and com socket security(?) problem v-wzhang NO[at]SPAM online.microsoft.com
3/3/2004 6:25:59 AM
Hello Ofer,

I wonder what the detailed error message was in IE? Please make sure
'Show friendly HTTP error message' has been disabled in IE Internet
options->Advanced.

Also, as I suggested in the previous thread, have you tested the page
with integrated windows auth? We should confirm at least the page can
work with administrator account's permission.

For further troubleshooting, you can enable security auditing to see
if it is able to log some detailed permission denied events of this
error. To do this, go to administrative tools->Local Security
Settings->Local Policies->Audit Policy, enable all kinds of failure
audits. Then open event viewer, clear and save as current Security
log. Browse to the page to reproduce the error, refresh the security
log to check if there are any failed events.

You can also enable auditing for specific files or folders, FYI:
300958 HOW TO: Monitor for Unauthorized User Access in Windows 2000
http://support.microsoft.com/?id=300958

301640 HOW TO: Set, View, Change, or Remove Auditing for a File or
Folder in
http://support.microsoft.com/?id=301640

Looking forward to your results.
Have a nice day,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
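
Added example, not part of the original thread: one way to carry out the audit check described in the post above without clearing the Security log, by filtering failure audits on a start time instead. It assumes failure auditing is already enabled and a Windows version that provides `Get-WinEvent`; the function name `Get-AuditFailureSince` is hypothetical.

```powershell
# Added example: collect Security-log failure audits generated while the
# failing ASP page is reproduced. Run in an elevated PowerShell session.

function Get-AuditFailureSince {
    param(
        [Parameter(Mandatory)] [datetime] $StartTime,
        [int] $MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Security'
        Keywords  = 0x10000000000000   # standard "Audit Failure" keyword
        StartTime = $StartTime
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Task    = $e.TaskDisplayName
            # The first line of the rendered message is the event summary.
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Mark the start, reproduce the error in the browser, then collect.
$start = Get-Date
Read-Host 'Browse to the failing page now, then press Enter'
$failures = @(Get-AuditFailureSince -StartTime $start)

# Which failure types occurred, then the individual events in time order.
$failures | Group-Object EventId | Sort-Object Count -Descending |
    Format-Table Count, Name
$failures | Sort-Object Time | Format-Table -AutoSize -Wrap
```
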
Re: IIS6 ASP and com socket security(?) problem v-wzhang NO[at]SPAM online.microsoft.com
3/4/2004 5:49:10 AM
Hello Ofer,

Any progress or findings on this issue?

Have a nice day,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
Re: IIS6 ASP and com socket security(?) problem ofer NO[at]SPAM intelligate.com
3/7/2004 12:19:44 AM
Hello WenJun

The problem was not solved, but a workaround solution has been found.

Instead of using regsvr32 to register the dll, we defined the dll as a
com+ application.

The strange thing is that we used the IIS user as the "Identity" for
this com+ application, and cancelled the access check (under Security
tab) and the object could be called from the .asp page, without any
changes to the dll's permissions.

To sum up:
From a vb application, the registered dll worked fine.
From an asp page - the object was created ok, but threw an exception
when creating a socket.
From an asp page using the com+ workaround, using the IIS user as its
identity - the object worked fine.

Maybe it is not a security issue, but rather a bug related somehow to
security and identities.

Notice that there are some more resources over the net talking about
the same or similar problem, when trying to create a socket, moving
from IIS5 to IIS6.

Thanks again,
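
Added example, not part of the original thread: a review script that lists each COM+ application with the settings the workaround above changes (run-as identity and whether access checks are enabled), so applications left with access checks off can be found later. It uses the COMAdmin catalog; the function name `Get-ComPlusAppSecurity` is hypothetical.

```powershell
# Added example: inventory COM+ applications and flag server applications
# that run with access checks disabled. Run elevated on the IIS server.

function Get-ComPlusAppSecurity {
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()

    foreach ($app in $apps) {
        # Components (the classes registered from the DLL) in this application.
        $components = $apps.GetCollection('Components', $app.Key)
        $components.Populate()

        [pscustomobject]@{
            Name                = $app.Value('Name')
            # Activation: 0 = library (caller's process), 1 = server (dllhost.exe)
            Activation          = $app.Value('Activation')
            # Account the server process runs as (the "Identity" tab)
            Identity            = $app.Value('Identity')
            # The "Enforce access checks for this application" setting
            AccessChecksEnabled = $app.Value('ApplicationAccessChecksEnabled')
            Dlls                = @($components |
                                    ForEach-Object { $_.Value('DLL') } |
                                    Sort-Object -Unique)
        }
    }
}

# Server applications where any caller that can activate the component
# gets whatever the configured identity can do.
Get-ComPlusAppSecurity |
    Where-Object { $_.Activation -eq 1 -and -not $_.AccessChecksEnabled } |
    Format-List Name, Identity, Dlls
```
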

Re: IIS6 ASP and com socket security(?) problem v-wzhang NO[at]SPAM online.microsoft.com
3/8/2004 9:27:32 AM
Hmm.. wrapping the dll into a COM+ package and disabling the access check
sounds like a smart workaround, thanks for informing me of this. :-)

Please don't hesitate to post here if you meet other IIS issues in
the future. I'm pleased to discuss them with you.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
Re: IIS6 ASP and com socket security(?) problem ofer NO[at]SPAM intelligate.com
3/29/2004 4:59:36 AM
see

http://groups.google.com/groups?hl=en&lr=lang_en|lang_iw&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=6b1986c8cd600446&seekm=956fdc35.0401180906.147c6e2c%40posting.google.com#link8

Re: IIS6 ASP and com socket security(?) problem v-wzhang NO[at]SPAM online.microsoft.com
3/30/2004 1:39:16 AM
Thanks for the details Ofer. Now the issue is quite clear to me as
well. :-)
And I'd mention the solution you found: Wrapping COM dll to COM+ to
specify a running identifier is a very useful and familiar way to
work around component permission issues in ASP.

Hope you have a nice week.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
Re: IIS6 ASP and com socket security(?) problem thodgson NO[at]SPAM gmail.com
1/19/2005 5:26:10 PM
I encountered a similar problem calling a COM object from ASP. The
object contains a call to CSocket::Create, which would throw an
exception.

By simply setting the password of the IUSR_MACHINENAME to something
different, everything worked again.
